Introduction

The idea of writing a packet sniffer came from a reply to my comments on Marc Clifton's project "NetSend (Sending popup messenger messages between computers)". Marc asked me, "What about receiving messages?" To tell the truth, I didn't know how that could be done. I knew of a program I had downloaded and tested years ago, but I didn't know how it worked. So I searched the net for programs that can receive messages created by NetSend, and I noticed that many of them were using packet sniffer libraries. I then decided to learn how it is done. My search paid off: I found a free library named WinPCap.

After reviewing the WinPCap source code, my first attempt was to write a wrapper class for it. But the result was not what I expected, and I had no control over the code. So I decided to port the base library of WinPCap, PacketNt.dll, to C#. After many weeks and debugging sessions, I finished it. Then I wrote a new class to make the capture process easy, and out of all this a new class was born: Function. Now I could catch packets from the network card, but I wasn't able to display them, because I had no idea what they meant. My next search was for a program with free source code that could display packets. As you guess, I found it: Ethereal. It is really a great program, and free.

First I traced the packets captured by Ethereal, built some protocol parsers and was able to display them in my test program. Then, after getting its source code, I used it to learn the protocol structures. Now my program supports over 15 protocols. My aim is to add all the protocols supported by Ethereal to my program and to make it available to all of you. I would be very happy if some of you were interested in this kind of project and helped to finish it. I am alone, and porting all the protocols to C# is absolutely time consuming and tiring.

Project contents

The name Pacanal comes from PACket ANALyzer. It is the main project, which communicates with the other classes and displays the captured packets. The other classes are shown below:

ColumnSorter

This class sorts list view items. It has the following members:

public int CurrentColumn = 0; // Column index to be sorted
public int Direction = 0; // 0 : Ascending, 1 : Descending
public int ColumnType = 0; // 0 : Integer, 1 : Double, 2 : String
public bool CaseSensitivity = true;
public bool Enabled = true;

CurrentColumn defines which column is used to sort the ListView. Direction sorts the data from lowest to highest or from highest to lowest. ColumnType defines the data format of the chosen column. CaseSensitivity controls whether string data is sorted case-sensitively, and Enabled turns the sort method on or off.
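To show how those five members drive a ListView sort, here is an added example of an IComparer built around them. It is my illustration, not the project's ColumnSorter class; the class name ColumnSorterExample and the tolerant handling of cells that fail to parse are my assumptions.

```csharp
using System;
using System.Collections;
using System.Globalization;
using System.Windows.Forms;

// Added example (not the project's code): a comparer with the members described above.
// Assign it to ListView.ListViewItemSorter and call ListView.Sort().
public class ColumnSorterExample : IComparer
{
    public int CurrentColumn = 0;        // column index to be sorted
    public int Direction = 0;            // 0: ascending, 1: descending
    public int ColumnType = 0;           // 0: integer, 1: double, 2: string
    public bool CaseSensitivity = true;  // only consulted when ColumnType == 2
    public bool Enabled = true;          // when false, every pair compares equal

    public int Compare(object x, object y)
    {
        if (!Enabled) return 0;

        string a = CellText((ListViewItem)x);
        string b = CellText((ListViewItem)y);
        int result;

        switch (ColumnType)
        {
            case 0:
                // Packet numbers and byte totals are parsed as long so large captures
                // do not overflow. A cell that fails to parse sorts before every
                // parsable one instead of throwing in the middle of a sort.
                long la, lb;
                bool okA = long.TryParse(a, NumberStyles.Integer, CultureInfo.InvariantCulture, out la);
                bool okB = long.TryParse(b, NumberStyles.Integer, CultureInfo.InvariantCulture, out lb);
                result = (okA && okB) ? la.CompareTo(lb) : okA.CompareTo(okB);
                break;
            case 1:
                double da, db;
                bool okDa = double.TryParse(a, NumberStyles.Float, CultureInfo.InvariantCulture, out da);
                bool okDb = double.TryParse(b, NumberStyles.Float, CultureInfo.InvariantCulture, out db);
                result = (okDa && okDb) ? da.CompareTo(db) : okDa.CompareTo(okDb);
                break;
            default:
                // Ordinal comparison keeps MAC and IP address columns stable across locales.
                result = string.Compare(a, b,
                    CaseSensitivity ? StringComparison.Ordinal : StringComparison.OrdinalIgnoreCase);
                break;
        }

        return Direction == 0 ? result : -result;
    }

    // SubItems[0] is the item's own text; a row may have fewer cells than the sorted column.
    private string CellText(ListViewItem item)
    {
        return CurrentColumn < item.SubItems.Count ? item.SubItems[CurrentColumn].Text : string.Empty;
    }
}
```

A typical ColumnClick handler sets CurrentColumn to the clicked column, flips Direction when the same column is clicked twice, and calls Sort(); returning 0 while Enabled is false keeps the comparer attached without reordering anything.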

I tried to make my program like Ethereal, so many of its features are like Ethereal's. They are as follows:

You can limit captured packets to a specified size

You can stop capturing when a specified count of packets is reached

You can stop capturing when a specified time is reached

You can stop capturing when a specified number of bytes is reached

You can stop capturing at any time, regardless of the limits above

You can capture packets in real time mode

You can scroll packets list in real time mode

You can resolve MAC names

You can see statistics of the captured packets: their percentages of all packets, the running time of the capture process and the total bytes captured

You can change the hardware filter to suit your needs

You can change the capture mode

You can highlight the protocol data by clicking a protocol node in the TreeView

You can highlight the protocol data by clicking Hex data display area and then the protocol node will be highlighted

You can save all packets, the selected packet or all selected packets in the format that Ethereal understands

You can load a packet file for reviewing

You can sort the captured packets as you wish

You can highlight a node and its corresponding value in the hex data display by clicking the hex data display control

You can copy data from the hex data display. There are two ways to do this:

Select the node whose data is to be copied, then click the "Copy" item in the "Edit" menu or the Copy button on the toolbar

Right-click over the hex data display and click "Select start point" or "Select end point"; do this for both the start and end points. Then click "Lock the region" and click "Copy" in the "Edit" menu or on the toolbar

In both cases the selected data is copied to the clipboard as a string in hex format.

You can delete a packet by selecting it in the ListView control and then clicking the "Delete selected packet" button on the toolbar

You can capture messages sent by NetSend. Use Capture->Capture Net Send

You can manually install or remove the npf.sys driver by using "Driver" menu items. Use Driver->Install driver, Driver->Uninstall driver

You can enable or disable displaying list view columns. Use Options->Columns options

You can change the view of the program by adding transparency to it. Use Options->Transparency options

You can view capture statistics whenever you want. Use View->Show statistics, View->Hide statistics
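The "save in the format that Ethereal understands" and "load a packet file" features above come down to the classic libpcap file layout: a 24-byte global header followed by one 16-byte record header per packet. The following is an added example of a minimal writer and reader for that layout; it is not Pacanal's own save/load code. The CapturedPacket type, the PcapFile class and the sample frame are my assumptions, and the reader deliberately rejects a record whose stored length exceeds the file's snaplen or the bytes remaining, since that length field comes from an untrusted file.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example (not the project's code): read and write libpcap capture files.
public struct CapturedPacket
{
    public DateTime Timestamp;   // capture time, UTC
    public int OriginalLength;   // bytes seen on the wire; larger than Data when a size limit applied
    public byte[] Data;          // bytes actually stored
}

public static class PcapFile
{
    const uint Magic = 0xa1b2c3d4;          // microsecond pcap; BinaryWriter emits it little-endian
    const uint LinkTypeEthernet = 1;        // DLT_EN10MB
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    public static void Write(string path, IList<CapturedPacket> packets, int snapLen)
    {
        using (var bw = new BinaryWriter(File.Create(path)))
        {
            bw.Write(Magic);
            bw.Write((ushort)2);           // version major
            bw.Write((ushort)4);           // version minor
            bw.Write((int)0);              // thiszone: GMT offset, written as 0
            bw.Write((uint)0);             // sigfigs: unused
            bw.Write((uint)snapLen);       // maximum bytes stored per packet
            bw.Write(LinkTypeEthernet);

            foreach (CapturedPacket p in packets)
            {
                long micros = (p.Timestamp.ToUniversalTime() - Epoch).Ticks / 10;
                bw.Write((uint)(micros / 1000000));   // ts_sec
                bw.Write((uint)(micros % 1000000));   // ts_usec
                int stored = Math.Min(p.Data.Length, snapLen);
                bw.Write((uint)stored);               // incl_len: bytes that follow
                bw.Write((uint)p.OriginalLength);     // orig_len: bytes on the wire
                bw.Write(p.Data, 0, stored);
            }
        }
    }

    public static List<CapturedPacket> Read(string path)
    {
        var packets = new List<CapturedPacket>();
        using (var br = new BinaryReader(File.OpenRead(path)))
        {
            uint magic = br.ReadUInt32();
            if (magic != Magic)
                throw new InvalidDataException("not a little-endian microsecond pcap file: 0x" + magic.ToString("x8"));
            br.ReadUInt16(); br.ReadUInt16(); br.ReadInt32(); br.ReadUInt32();   // version, thiszone, sigfigs
            uint snapLen = br.ReadUInt32();
            uint linkType = br.ReadUInt32();
            if (linkType != LinkTypeEthernet)
                throw new InvalidDataException("unsupported link type " + linkType);

            while (br.BaseStream.Position + 16 <= br.BaseStream.Length)
            {
                uint sec = br.ReadUInt32();
                uint usec = br.ReadUInt32();
                uint inclLen = br.ReadUInt32();
                uint origLen = br.ReadUInt32();
                // Bound the allocation by the file's own snaplen and by what is left to read.
                if (inclLen > snapLen || inclLen > br.BaseStream.Length - br.BaseStream.Position)
                    throw new InvalidDataException("record length " + inclLen + " exceeds snaplen or file size");
                packets.Add(new CapturedPacket
                {
                    Timestamp = Epoch.AddTicks(sec * 10000000L + usec * 10L),
                    OriginalLength = (int)origLen,
                    Data = br.ReadBytes((int)inclLen)
                });
            }
        }
        return packets;
    }

    public static void Main()
    {
        // Constructed sample: a 60-byte Ethernet frame of placeholder bytes, saved with a 40-byte limit.
        var frame = new byte[60];
        for (int i = 0; i < frame.Length; i++) frame[i] = (byte)i;
        var capture = new List<CapturedPacket>
        {
            new CapturedPacket { Timestamp = DateTime.UtcNow, OriginalLength = frame.Length, Data = frame }
        };
        string path = Path.Combine(Path.GetTempPath(), "pacanal-example.pcap");
        Write(path, capture, 40);
        List<CapturedPacket> back = Read(path);
        Console.WriteLine("read {0} packet(s); stored {1} of {2} bytes",
            back.Count, back[0].Data.Length, back[0].OriginalLength);
    }
}
```

Keeping orig_len separate from incl_len is what lets a viewer report the real frame size of a packet that was truncated by the "limit captured packets to a specified size" option.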

Requirements

To run the code you need the following:

Windows NT / 2K / XP

A PC with an Ethernet card (LOL)

NDIS packet capture driver (npf.sys) installed

npf.sys can be downloaded from http://winpcap.polito.it/, which is the one I used. But the project zip file contains the necessary npf.sys files for both Win NT and Win 2K/XP. If npf.sys hasn't been installed yet, the program will install it for you.

Warning

After downloading the project files, first create a solution. Then add the Pacanal and MyClasses projects to the solution. Don't forget to add a reference to MyClasses in the Pacanal project.

Conclusion

I tested my program on PCs running Windows 2000 and Windows NT. I haven't tried XP, but it should probably work. There may be bugs that I haven't caught or seen yet. Please inform me about any bug you find.

I hope you like this source code and program and find them useful.

Update - 16/09/2003

A SQL Server/Sybase TDS packet parser class and a display form for analyzing the byte counts between IP/MAC addresses were added by Keith Westley. Many thanks to Keith for using and supporting Pacanal and sharing her work with us.


About the Author

Hi to all...
I am a lone programmer. I am not a specialist in programming but I love it. Anyone who supports source code sharing is definitely my friend.
Because I am so poor at writing about myself, anyone who wants to learn more about me can feel free to contact me...

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

I am using Visual Studio 2008 C# and WinPcap 3.1. I got a clean compile and link for the application. However, when I run the application and click on the Capture Option button I immediately get a System.ArgumentNullException in FormPacanal.cs at line 1754. The code at that location is CapOptions.ShowDialog( this ); Has anyone else had this problem? If so, how did they fix it?

Yeah, but that involves a lot of overhead. I want to delete the unwanted packet as and when it arrives, and not iterate through the ListView items. And there is no item-added event in the ListView control, and also the item is initially added as empty here.

Without installing WinPCap 3.1, you cannot use this application. If you have installed a later version of WinPCap (check Add/Remove Programs in Control Panel) released after WinPCap 3.1, please uninstall it and install WinPCap 3.1. It works.